We regularly get people reaching out to ask for either jobs or career advice.
So what does it take to get into cybersecurity, and penetration testing in particular?
Caveats: These are the views of Pākiki; other pentesting companies may have different policies or things they value. If you have your heart set on a particular employer, it’s worth reaching out to them to see if they have particular requirements. It’s also worth mentioning that Simon Howard posts a yearly guide on Getting Started as a Penetration Tester in NZ. While we have a different focus, there’s a lot of overlap. Otherwise, these tips should put you in a good place to apply for penetration testing roles in Aotearoa.
Baseline skills
Our experience from previous companies is that at the entry level, there are lots of great candidates who apply, and many will go on to do great things; however, we need to make the tough decision on who to hire from that candidate pool.
These are broadly the things we look for:
- Baseline technical skills: You should have a fundamental understanding of how web technologies work, how networks work, etc. While we can teach security, we don’t have the capability to teach the equivalent of a full computer science degree (although see below for our views on formal qualifications).
- Learning: How quickly you can learn and get up to speed with new technologies. Security is fast evolving, and as part of consulting, you will be exposed to technologies you have never seen before. Being able to quickly understand something and apply your skills in a new environment is essential.
- Team fit: Will your skills and personality complement the existing team? Are there likely to be personality clashes?
- Formal English skills: Our main deliverable to clients is a report, and at Pākiki we put an emphasis on quality. You can be the best ethical hacker in the world, but you also need to be able to explain what you’ve found and tell people what it means to them. While we have tools that help significantly with reporting, you will still need to be able to write well.
- People skills: Ultimately pentesting is about helping people understand vulnerabilities in their systems so that they can fix them (or understand the implications of not fixing them so they can make an informed decision). This is a consulting role, and sometimes that involves going on-site to corporate/government clients and explaining technical things to less technical people. That doesn’t mean you need to have the right words to say from day one, or be a social butterfly. We won’t throw you in the deep end or send you on-site without support until you’re ready, but you will need to have the people and communication skills to work within those environments from time to time.
- Passion: While we strongly value a good work-life balance (see our perks), we want people who are passionate about finding good vulnerabilities and/or keeping kiwis safe.
Basically, we care about the things we can’t teach you, although the more security knowledge you have, the more likely you are to succeed.
What about education/certifications?
We do not put a strong emphasis on formal education.
We believe that if somebody has the skills on their CV indicating that they have the potential to do the job, we should consider them for an interview. Filtering based on education just hinders candidates who are neurodiverse, struggle with University, or did not have the means to attend. In previous roles, some of our best people had no formal IT training or education.
Certifications are a useful way to provide structured learning; however, we have also interviewed candidates with industry-leading certifications who couldn’t carry out basic tasks. As with any other type of formal education, you get out what you put in.
What we really care about is what you can do in practice, not a piece of paper showing that you can sit in a classroom for 6 hours a day or that you perform well under stressful exam settings.
Building Security Technical Skills
In the penetration testing world, there are broadly two distinct types of tests:
- Applications: whether they be web applications, mobile applications, APIs, desktop applications, etc.
- Networks/Infrastructure: which consists of attempting to compromise systems via weak services or misconfigurations. It also includes auditing systems for vulnerabilities.
Again, for entry-level roles, you don’t need to be an expert in everything you’ll encounter; however, having the baseline skills and showing that you know about the common vulnerabilities will put you ahead in interviews.
Application Testing
There are guides online such as the OWASP Testing Guide which contain lists of common vulnerabilities and how to search for them.
There are also sets of exercises online, such as Pentester Labs or PortSwigger Academy. Both have explanations of vulnerability classes and a variety of exercises to ensure you understand and find them.
For those exercises, you’ll need an intercepting proxy. While we’re obviously biased, we like Pākiki Proxy. The community/free edition will be fine for getting started and learning. There are plenty of other options available as well.
Network Testing
There are a number of online platforms which have intentionally vulnerable machines where the goal is to gain access to a “flag”. In some cases, this will require exploitation of a network service, privilege escalation, or gaining access via a web application vulnerability.
Platforms include:
- Hack the Box – these are virtual machines where you need to gain initial console access to get a user flag, then use privilege escalation to get the admin/root flag.
- VulnHub – which has a catalogue of vulnerable virtual machines.
- Various Capture the Flag competitions
In some cases, the vulnerabilities can be thought of more as hacker-themed crossword puzzles and aren’t always 100% reflective of what we see in the wild, but they are a good starting point for learning new concepts and getting exposed to things you haven’t encountered before.
To get practice with English writing, consider starting a blog or doing formal writeups of what you’ve found (just make sure you don’t spoil the exercise for other people, or publish them before you’re meant to based on the platform’s rules or conventions).
Hacker Mindset
Within security, we talk about the hacker mindset, which covers things like:
- Being able to think outside the box.
- Taking a system and thinking about how it’s meant to be used, and then seeing if you can do other things.
- Working through what assumptions were made when developing or designing the system which don’t actually hold true.
A good way to develop this is to be curious and to keep learning:
- Watch conference talks; talks from world-class conferences like Defcon are available online.
- Listen to security podcasts, for example DarkNet Diaries.
- Attend the local conferences (Kawaiicon, ChCon, AppSec Days, etc).
- Read blog posts about new/novel security vulnerabilities. Places like Reddit r/netsec, and Hacker News can be good places to find these.
- Get involved in the local community, for example via the Infosec Discord channel.
Again, we fully appreciate that if you’re one of our neurodivergent friends, you may struggle with some of these. And that’s totally OK!
Resources can be at varying levels. Don’t be discouraged if some of it goes completely over your head. It’s common and will get better the more you learn.
Legal Practice
Bug bounties are a fantastic and legal way to hone your skills on real-world targets and to get exposure to real-world technologies and services. Just make sure you read and understand the scope. Going out of scope can be a crime.
Let us promise you that police dogs aren’t so cute in person.
It is also worth pointing out that many bug bounty programs will have had the vast majority of low-hanging fruit already found, such that a traditional pentesting methodology (e.g. following the OWASP Testing Guide) probably won’t find the most interesting bugs. You can be a great pentester, but it takes a vastly different approach to really do well in bug bounty programs. That doesn’t mean they’re not good for getting real-world experience and practice.
Summary
There are obviously a large number of things to consider and learn in preparation for a job as a pentester or in cybersecurity more broadly. We look at a whole range of factors when making hiring decisions. If you demonstrate good non-technical skills and passion, and have a reasonable baseline of technical skills (the more the better), then you have a higher chance of getting an interview and an offer!
Are we hiring?
First, the sales pitch: we have a number of generous perks. We believe that if we treat our staff well, they’ll take care of our customers. Additionally, it’s the right thing to do.
For any roles, we’ll post job adverts up on:
- The about us page.
- Our LinkedIn page. It’s worth following us if you’d like a notification when we are hiring.
- Our networks (the NZ Infosec Discord channel, etc.)
For entry-level roles, or if we would like a wider pool of candidates, we’ll also post on NZ-based job sites, such as TradeMe and Seek.
Even if we’re not hiring, we like to chat with people who are passionate about security, and to help provide advice and guidance to the next generation of security professionals. If you’re based in Christchurch or Wellington, contact us. We’d love to have a coffee.